Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include `dir`, `tree`, `ls`, `find`, and `locate`. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. `dir`, `show flash`, and/or `nvram`). (Citation: US-CERT-TA18-106A) Some files and directories may require elevated or specific user permissions to access.
Find or discover files on the file system. Upon successful execution, this test will output the results of all the data discovery commands to a specified file.

Supported Platforms: Windows

auto_generated_guid: 0e36303b-6762-4500-b003-127743b80ba6

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | File to output results to | string | %temp%\T1083Test1.txt |

Attack Commands: Run with command_prompt

```cmd
dir /s c:\ >> #{output_file}
dir /s "c:\Documents and Settings" >> #{output_file}
dir /s "c:\Program Files\" >> #{output_file}
dir "%systemdrive%\Users\*.*" >> #{output_file}
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> #{output_file}
dir "%userprofile%\Desktop\*.*" >> #{output_file}
tree /F >> #{output_file}
```

Cleanup Commands:

```cmd
del #{output_file}
```
Find or discover files on the file system. Upon execution, file and folder information will be displayed.

Supported Platforms: Windows

auto_generated_guid: 2158908e-b7ef-4c21-8a83-3ce4dd05a924

Attack Commands: Run with powershell

```powershell
ls -recurse
get-childitem -recurse
gci -recurse
```
Find or discover files on the file system.

References:

- http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/
- https://perishablepress.com/list-files-folders-recursively-terminal/

Supported Platforms: Linux, macOS

auto_generated_guid: ffc8b249-372a-4b74-adcd-e4c0430842de

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file used to store the results. | path | /tmp/T1083.txt |

Attack Commands: Run with sh

```sh
ls -a >> #{output_file}
if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi;
file */* *>> #{output_file}
cat #{output_file} 2>/dev/null
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
locate *
which sh
```

Cleanup Commands:

```sh
rm #{output_file}
```
Find or discover files on the file system.

Supported Platforms: Linux, macOS

auto_generated_guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file used to store the results. | path | /tmp/T1083.txt |

Attack Commands: Run with sh

```sh
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
find . -type f -iname *.pdf >> #{output_file}
cat #{output_file}
find . -type f -name ".*"
```

Cleanup Commands:

```sh
rm #{output_file}
```
This test emulates MAZE ransomware's ability to enumerate directories using PowerShell. Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window. See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents

Supported Platforms: Windows

auto_generated_guid: c6c34f61-1c3e-40fb-8a58-d017d88286d8

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| File_to_output | File to output results to | string | $env:temp\T1083Test5.txt |

Attack Commands: Run with powershell

```powershell
$folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming")
Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}
Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
$UsersFolder = "$env:homedrive\Users\"
foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
{
foreach ($secondarydirectory in $folderarray)
{Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
}
cat #{File_to_output}
```

Cleanup Commands:

```powershell
remove-item #{File_to_output} -ErrorAction SilentlyContinue
```
Launches the DirLister executable for a short period of time and then exits.
Recently seen used by BlackCat ransomware to create a list of accessible directories and files.

Supported Platforms: Windows

auto_generated_guid: c5bec457-43c9-4a18-9a24-fe151d8971b7

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dirlister_path | Path to the DirLister executable | string | PathToAtomicsFolder\..\ExternalPayloads\DirLister.exe |

Attack Commands: Run with powershell

```powershell
Start-Process "#{dirlister_path}"
Start-Sleep -Second 4
Stop-Process -Name "DirLister"
```

Dependencies: Run with powershell

Check Prereq Commands:

```powershell
if (Test-Path "#{dirlister_path}") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
$parentpath = Split-Path "#{dirlister_path}"
New-Item -ItemType Directory -Force -Path $parentpath | Out-Null
Invoke-WebRequest https://github.com/SanderSade/DirLister/releases/download/v2.beta4/DirLister.v2.beta4.zip -OutFile "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4\*" "$parentpath" -Recurse
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip","PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4" -Recurse -ErrorAction Ignore
```
An adversary uses the find command to enumerate vmdks on an ESXi host. Reference

Supported Platforms: Windows

auto_generated_guid: 4a233a40-caf7-4cf1-890a-c6331bbc72cf

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local |
| vm_user | Specify the privilege user account on ESXi Server | string | root |
| vm_pass | Specify the privilege user password on ESXi Server | string | pass |
| plink_file | Path to Plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe |
| cli_script | Path to script with file discovery commands | path | PathToAtomicsFolder\T1083\src\esxi_file_discovery.txt |

Attack Commands: Run with command_prompt

```cmd
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
```

Dependencies: Run with powershell

Check Prereq Commands:

```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
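As an added example that is not part of Atomic Red Team or any of the tests above, the following Python scan shows how a defender can check process-creation telemetry for the command shapes these tests produce (recursive `dir`/`tree`, `Get-ChildItem -Recurse` and its aliases, `find`/`locate`, `ls -R`, DirLister.exe, and `plink -m` against an ESXi host). The events, image names and rule names are constructed for the example; the benign entries show what the rules must not flag.

```python
import re

# Constructed process-creation events (parent image, image, command line);
# not real telemetry. They mirror the command shapes used by the tests above.
SAMPLE_EVENTS = [
    ("explorer.exe", "cmd.exe", r"cmd.exe /c dir /s c:\ >> C:\Users\a\AppData\Local\Temp\T1083Test1.txt"),
    ("cmd.exe", "tree.com", "tree /F"),
    ("explorer.exe", "powershell.exe", "powershell.exe -c Get-ChildItem -Path $env:homedrive -Recurse"),
    ("bash", "find", "find . -type f -iname *.pdf"),
    ("explorer.exe", "DirLister.exe", r'"C:\Tools\DirLister.exe"'),
    ("cmd.exe", "plink.exe", "plink.exe atomic.local -ssh -l root -pw pass -m esxi_file_discovery.txt"),
    ("explorer.exe", "notepad.exe", "notepad.exe readme.txt"),   # benign, must not match
    ("bash", "ls", "ls -la /home/user"),                          # benign, must not match
]

# Detection rules: (name, compiled regex). Patterns follow the command lines in the tests;
# the 'recursive ls' rule is case-sensitive because 'ls -r' (reverse sort) is not recursion.
RULES = [
    ("recursive dir listing (cmd)", re.compile(r"\bdir\b.*\s/s\b", re.I)),
    ("tree listing", re.compile(r"\btree(\.com)?\b.*\s/f\b", re.I)),
    ("recursive Get-ChildItem", re.compile(r"\b(get-childitem|gci|ls)\b.*-rec", re.I)),
    ("find/locate file walk", re.compile(r"^(find\s.*-type\s+f|locate\s)", re.I)),
    ("recursive ls", re.compile(r"^ls\s+(-\w*R\w*|.*\s-R\b)")),
    ("DirLister execution", re.compile(r"dirlister\.exe", re.I)),
    ("plink script execution", re.compile(r"\bplink(\.exe)?\b.*\s-m\s", re.I)),
]


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events):
    """Return (image, cmdline, matched rule names) for each event that hits at least one rule."""
    hits = []
    for _parent, image, cmdline in events:
        names = classify(cmdline)
        if names:
            hits.append((image, cmdline, names))
    return hits


if __name__ == "__main__":
    for image, cmdline, names in scan(SAMPLE_EVENTS):
        print(f"{image:15s} {', '.join(names):28s} {cmdline}")
```

The MAZE-style test above issues many non-recursive `Get-ChildItem` calls against fixed user folders, which no single-command pattern catches; that case needs a count of `Get-ChildItem` executions per process over a short window rather than a regex.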